BTW, I found another "gotcha". After turning off encryption stats off for the only encrypted database on the instance, encryption_state was still 1, and tempdb was showing up as encrypted. The drop DEK statement generated an error. I bounced the instance, no change. Finally I dropped the formerly encrypted database, and still got the error trying to drop the DEK. Finall I just tried removing the certificate, and it worked. The DEK was gone as well. Apparently there's also a known bug in updating the DMV for tempdb as well. It's described as "benign", but it certainly doesn't seem so when trying to back out the encryption, such as in this scenario.